Cyber Risk News
The number of compromised credentials detected in North American botnets has soared 141%, according to the latest quarterly analysis from Blueliv.
The cyber-threat intelligence vendor scans the open, deep and dark web for signs of stolen log-ins for its clients, so that they can take action before the cyber-criminals have had a chance to monetize their wares.
The large rise between the March to May and June to August quarters this year came alongside declines in other regions.
Europe and Russia saw a decrease of 22%, while compromised credentials geo-located to Asian botnets dropped by 36%. A sharp 33% drop in detections in Europe and Russia during July and August was matched by a 77% increase in Asia, indicating a botnet may have been taken down in Europe while Asian campaigns thrived, according to the firm.
“All it takes is a single good credential for a threat actor to gain access to an organization and cause havoc,” argued Blueliv CEO, Daniel Solís.
“We are observing a booming market for credential theft, and the latest statistics show that this sort of cybercrime is a truly global enterprise. By understanding the lifecycle of the compromised credential, CISOs seeking to protect their business and analysts looking for IOCs gain valuable information to shrink their attack surface.”
According to the firm’s recent report, The Credential Theft Ecosystem, once attackers have infiltrated targeted organizations via compromised credentials, they can access customer databases to harvest PII and/or user log-ins to sell on the dark web or use directly to commit identity theft.
Other potential impacts of corporate credential theft include blackmail, BEC, espionage, hacktivism and more.
“As long as credentials remain the preferred way for companies to authenticate their employees and customers, they’ll continue to be the weakest link in the cybersecurity chain,” the firm noted.
In terms of credential-harvesting malware, Pony, KeyBase and LokiPWS (also known as Loki Bot) were most popular, with Pony out in front, although LokiPWS samples increased 91% quarter-over-quarter.
The US authorities have arrested and charged an alleged officer in China’s Ministry of State Security (MSS) with trying to steal aviation secrets from American firms, in a move likely to enrage Beijing.
The charges were announced on Wednesday and reveal the alleged intelligence officer as Yanjun Xu (aka Qu Hui, aka Zhang Hui), a deputy division director with the MSS Jiangsu State Security Department, Sixth Bureau.
They claim that from at least December 2013 until his eventual arrest in Belgium, Xu targeted experts working at US aviation firms including GE Aviation. He recruited them to travel to China, often under the pretense of giving a university presentation, before paying travel costs and stipends.
The individuals were then allegedly asked to provide blueprints and other materials, which were handed over to engineers at a leading Chinese university.
“Innovation in aviation has been a hallmark of life and industry in the United States since the Wright brothers first designed gliders in Dayton more than a century ago,” said US attorney for the Southern District of Ohio, Benjamin Glassman.
“US aerospace companies invest decades of time and billions of dollars in research. This is the American way. In contrast, according to the indictment, a Chinese intelligence officer tried to acquire that same, hard-earned innovation through theft. This case shows that federal law enforcement authorities can not only detect and disrupt such espionage, but can also catch its perpetrators.”
The arrest of a Chinese intelligence officer is unprecedented: the US has indicted PLA officers in the past for allegedly hacking American companies, but that’s where it ended, as the individuals reside in China.
The latest move will do little to calm boiling tensions between the two superpowers, which are involved in a de facto trade war, amidst widely disputed reports that Chinese spies have infiltrated the supply chain for server components in a major espionage campaign against government and corporate targets.
If the news is true, it would seem to sound the death knell for an agreement between former President Obama and Xi Jinping in which China agreed to cease economic cyber-espionage.
Dmitri Alperovitch, co-founder of CrowdStrike, confirmed China's re-emergence as the world's most prolific cyber-espionage actor.
"From a cyber perspective, China is actively engaging in targeted and persistent intrusion attempts against multiple sectors of the economy, including biotech, defense, mining, pharmaceutical, professional services, transportation, and more. Currently, the MSS is the primary government agency engaged in the majority of cyber-attacks ... CrowdStrike has observed multiple intrusions demonstrating their sophisticated tradecraft," he explained.
"We believe China poses a long-term and strategic threat to the global economy, and today’s arrest of a senior MSS officer responsible for industrial espionage is an important deterrence tool in keeping the perpetrators accountable.”
Blockchain is revolutionizing the global economy, according to Nitin Uttreja and Ashish Dwivedi of CA Technologies. In their session, How Blockchain Is Revolutionizing Cybersecurity, Uttreja and Dwivedi said that blockchain companies enable banks to transact with other banks for improved efficiency of cross-border transactions.
“The distributed-ledger technology is not just restricted to the banking or financial world. Blockchain technology has the potential to disrupt nearly every industry, including healthcare, supply chain management, media, advertising, gambling, cloud and cybersecurity,” the presenters wrote.
Because it is so difficult to change or remove data once it has been entered into the blockchain, the technology mitigates the risk of a single point of failure. It is a continuously growing distributed database maintained as a decentralized ledger, ordered chronologically and secured using cryptography.
Any changes are stored in a new block. “A small change in the input would give a completely different hash, making it infeasible to find two messages that produce the same hash,” Uttreja said. Attempting to make changes would produce a completely different hash, which would not match, so all the subsequent blocks would become invalid.
Yet “securing data by this technique is not good enough,” said Uttreja. “To counter we use proof of work or mining, which slows down the calculation of blocks. What we do in mining is take index, previous hash, timestamp and try to create a hash that specifies certain criteria.”
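To make the two points above concrete, here is an added example (not code from the article or from the CA Technologies session): a minimal hash-linked chain where each block hashes its index, previous hash, timestamp, data and nonce, with a toy proof-of-work target, showing that altering one block breaks the link to every later block and forces the proof of work to be redone for each of them. The difficulty, timestamps and transaction strings are constructed for the example.

```python
"""Added example: hash-linked blocks with proof of work and tamper detection."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Toy proof-of-work target (assumption for the example): the block hash must
# start with this many '0' hex digits. Real networks use a far harder target.
DIFFICULTY = 3


@dataclass
class Block:
    index: int
    previous_hash: str
    timestamp: int   # fixed integers so the example is deterministic
    data: str
    nonce: int = 0
    hash: str = ""   # filled in by mine()

    def compute_hash(self) -> str:
        # The hash covers every field, so changing any of them (or the hash of
        # the previous block) produces a completely different digest.
        payload = json.dumps(
            [self.index, self.previous_hash, self.timestamp, self.data, self.nonce],
            separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode()).hexdigest()

    def mine(self) -> "Block":
        # Proof of work: try nonces until the hash meets the target.
        target = "0" * DIFFICULTY
        self.nonce = 0
        while True:
            candidate = self.compute_hash()
            if candidate.startswith(target):
                self.hash = candidate
                return self
            self.nonce += 1


def build_chain(entries: list[tuple[int, str]]) -> list[Block]:
    """Mine a genesis block, then one block per (timestamp, data) entry."""
    chain = [Block(0, "0" * 64, 1_500_000_000, "genesis").mine()]
    for ts, data in entries:
        chain.append(Block(len(chain), chain[-1].hash, ts, data).mine())
    return chain


def first_invalid_index(chain: list[Block]) -> Optional[int]:
    """Return the index of the first block that fails validation, or None."""
    target = "0" * DIFFICULTY
    for i, block in enumerate(chain):
        # Stored hash must match the block's contents and meet the target...
        if block.compute_hash() != block.hash or not block.hash.startswith(target):
            return i
        # ...and must chain back to the hash actually stored in the previous block.
        if i > 0 and block.previous_hash != chain[i - 1].hash:
            return i
    return None


def remine(chain: list[Block], start: int) -> list[Block]:
    """What an attacker who altered block `start` must do to hide it: relink and
    re-mine that block and every block after it, paying the proof of work each time."""
    for i in range(start, len(chain)):
        if i > 0:
            chain[i].previous_hash = chain[i - 1].hash
        chain[i].mine()
    return chain


def demo() -> dict:
    """Walk through tampering with block 1 and report what the validator sees."""
    chain = build_chain([
        (1_500_000_010, "alice->bob 5"),     # constructed sample entries
        (1_500_000_020, "bob->carol 2"),
        (1_500_000_030, "carol->dave 1"),
    ])
    results = {"fresh": first_invalid_index(chain)}          # None: chain is valid
    chain[1].data = "alice->bob 500"                          # tamper with block 1
    results["tampered"] = first_invalid_index(chain)          # 1: stored hash no longer matches
    chain[1].mine()                                           # attacker re-mines only block 1
    results["remined_one"] = first_invalid_index(chain)       # 2: block 2 still points at the old hash
    remine(chain, 2)                                          # attacker must redo every later block
    results["remined_all"] = first_invalid_index(chain)       # None, but only after all that work
    return results


if __name__ == "__main__":
    print(demo())
```

The last step is the point of proof of work: rewriting one entry is cheap, but making the rewritten chain validate again costs a full re-mine of every subsequent block.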
As far as the application to cybersecurity, Dwivedi said that there are real-time use cases of blockchain in cybersecurity, including decentralized identity, cloud storage, passwords and securing IoT.
"The key challenge with digital is that individuals have no control over their personal data and do not know when it is shared with other institutions," the presenters wrote. Users leave personal information on complex servers. If that server is compromised, the user’s data is at risk. Centralized identity brings further challenges: personally identifiable information (PII) is stored in a central repository, and third parties may access it without the subject’s knowledge.
The blockchain solution is that the data becomes decentralized across a distributed database with peer-to-peer transmissions that use cryptographic hashing, Dwivedi said.
“Blockchain enables the creation of a decentralized distributed storage marketplace, with complete decentralization and true redundancy, total privacy, resulting in cost reductions.”
In welcoming attendees, CFO Debra Taylor said, “We recognize the important role we play and the obligation we have as an organization to be inclusive, respectful and free from bias or discrimination but also to develop a community that reflects the diverse public we serve.”
The event's focus was both inclusion and diversity, and attendees were asked to brainstorm the ways that organizations can create a more inclusive and diverse workforce. Deidre Diamond, co-founder and CEO of CyberSN, said that when she thinks about inclusion, she thinks about the EQ skills – the emotional intelligence.
“It’s been really cool to watch our industry put value to emotional intelligences,” Diamond said. “The reality is that studies have proven that diverse groups make better decisions because they can see a 365-degree view. Diverse groups bring more money to organizations.”
Diamond talked about the benefits of win-win communication, a skill long taught in sales but absent across other silos. One attendee, who noted that he benefits from being a fourth-generation college-educated white male, said, “That’s really what we have to break away from.”
Another attendee talked about a session on STEAM (science, technology, engineering, arts, and math) that she had attended and the benefits of bringing the arts into the cybersecurity field. “At the end of the day, if they’re an arts major, music major, why aren’t we bargaining and pitching to them? It’s about widening the pool,” said Kyle Kennedy, president of Brainbabe.
A common concern among the attendees was the ways in which the résumé limits a candidate's potential of actually getting hired because we are all judged by the content we share. “If the content doesn’t match the content of what hiring managers are looking for on their list, you’re not even in the pool,” Diamond said.
Changing the way that human resources crafts job descriptions and the way that hiring managers think about the skills that are essential to the projects will open the door to a wider pool of candidates who bring more than technical expertise to their roles.
“DevOps is critical in the sense of introducing automation. Automation is important for managing complexity and minimizing human error, but the security team needs to be thinking about how to work with the DevOps teams so that they have an appreciation for security,” Shema said.
In the end, the apps that DevOps are building are being created for people, so it’s important to be working with them, working for them and building for them. While it’s easy to dismiss users and their behavior as foolish, it’s also sometimes true that developers are lazy and both behaviors create risk, Shema said.
In order to bring security to where the developers are, there needs to be a common language, particularly in meetings. By focusing on communication and having a clear framework for what needs to be discussed, Shema said, it is possible to turn DevOps into DevSecOps.
“Putting security in the middle is intentional because you can’t tag security on at the end. Security is what ties the two together,” Shema said.
A good sense of a shared vocabulary between developers and security does exist with OWASP. “Those are really quick, off-the-cuff terms we can throw out so security practitioners and DevOps teams can quickly understand whether something is high risk or low risk, but there is a need for having a shared vocabulary in the meetings with DevOps in order to make the meetings more successful,” Shema said.
Different end users pose different risks, so the teams need to have discussions about the different ways to look at threat models that include the end user. To that end, Shema offered suggestions on how to make meetings more successful.
“Things like tabletop role-playing games that promote social interaction. They require people to get together and move toward a common goal,” he said. In many games, players encounter fights that happen between monsters and heroes, and they learn the skills necessary to overcome different challenges. Those skills translate over to dealing with people.
The coder or sysadmin plays the barbarian, DevOps becomes the fighter, red teams morph into thieves while blue teams take on the role of clerics and the CISO plays the bard.
“It’s about ensuring that everyone gets a turn around the table so that there’s not one person monopolizing the conversation. When a single person is the only one talking, it erases other people’s voices,” Shema said. "Having an agenda keeps the meeting focused and avoids people going off topic. Then you can pull people in to make sure their voices are heard."
While these tactics are not revolutionary, Shema's purpose is to remind DevOps to rely on people when it comes to security policies.
UK supermarket giant Morrisons is in the Court of Appeal this week fighting to overturn a judgment that it should compensate employees after a major insider data leak.
A High Court judge ruled last year that the company was “vicariously liable” for the actions of one of its employees, former internal auditor Andrew Skelton, who published the personal details of 100,000 employees online and sent them to several newspapers.
The leaked data included NI numbers, birth dates and bank account details, and Skelton was eventually jailed for eight years back in 2015.
Morrisons argued at the time that it had already paid around £2m to mitigate the breach. However, it was also awarded £170,000 in compensation, while employees got nothing.
In the UK’s first class action lawsuit, over 5000 of these employees subsequently took the supermarket chain to court, demanding compensation for the “upset and distress” caused by disgruntled insider Skelton’s actions.
The retailer’s lawyers are arguing this week that their client cannot be held “vicariously liable” because the Data Protection Act 1998 — the legislation in place at the time of the incident — excludes vicarious liability.
Representing the claimants, JMW Solicitors data privacy specialist, Nick McAleenan, argued that Morrisons is looking to protect its £374m annual profits rather than recognize the impact of the breach on its employees.
“This is a classic David and Goliath case — the victims here are shelf-stackers, checkout staff and factory workers; just ordinary people doing their jobs,” he reportedly said.
“They were obligated to hand over sensitive financial and personal information to Morrisons — including national insurance numbers, dates of birth and bank account details — and had every right to expect that information to be kept confidential.”
The infamous Magecart digital skimming code has been found again, this time inserted into a customer rating plugin used on thousands of e-commerce sites.
RiskIQ, which has been tracking the groups behind Magecart for a couple of years, was alerted to the latest discovery on September 15.
In that respect, it’s a supply chain attack of the sort seen with Ticketmaster partner Inbenta Technologies, rather than a direct compromise of the victim’s own site, as with British Airways.
It could be the same group as the one which inserted Magecart into Feedify last month, as the two attacks shared the same server for receiving exfiltrated card details, according to RiskIQ threat researcher, Yonathan Klijnsma.
Interestingly, the attackers also made a mistake with the Shopper Approved campaign, initially forgetting to obfuscate their code, which has given RiskIQ some useful info.
Thanks to the speedy action of Shopper Approved — which removed the script two days later, launched a full investigation and brought in forensic experts — only “a small fraction” of its clients were apparently affected.
Klijnsma argued that all e-commerce players should block third-party scripts from being displayed on checkout pages, to mitigate the Magecart threat — which has been traced to six groups, although there could be more out there.
“Magecart groups are carrying out a full-scale assault on e-commerce and show zero signs of stopping. These attacks are only getting more and more traction as the groups learn how to become more effective,” he concluded.
“While initial attacks involved low-tier Magento stores, later attacks targeted CDNs to increase their reach. Now, Magecart operatives have learned to tune the CDNs they compromise to ensure that the only sites they hit are online stores. To achieve their goals, they will go after any analytics company, CDN, or any service supplying functionality to e-commerce websites.”
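The control Klijnsma recommends, keeping third-party scripts off checkout pages, can be checked and enforced mechanically. The following is an added example (not RiskIQ’s, Shopper Approved’s or any affected merchant’s code): it parses a checkout page, flags every script whose origin is not on a first-party allowlist, and emits a Content-Security-Policy script-src directive that makes the browser enforce that same allowlist. The sample HTML, hostnames and allowlist are constructed placeholders.

```python
"""Added example: audit <script> tags on a checkout page against an allowlist."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page: a relative first-party bundle, a first-party
# CDN bundle, an analytics tag, a third-party ratings widget and one inline script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/js/app.js"></script>
<script src="https://analytics.example.net/tag.js" async></script>
<script src="https://ratings-widget.example.org/widget.js"></script>
<script>window.cart = {total: 42.00};</script>
</head><body>...</body></html>
"""

PAGE_ORIGIN = "https://shop.example"                                   # assumption
FIRST_PARTY_ORIGINS = {"https://shop.example", "https://cdn.shop.example"}  # assumption


class ScriptCollector(HTMLParser):
    """Collect external script sources and count inline script blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def script_origin(src: str, page_origin: str) -> str:
    """Resolve a script src to its origin (scheme://host[:port]).

    Relative URLs belong to the page; protocol-relative URLs (//host/x.js)
    inherit the page's scheme."""
    parsed = urlparse(src)
    if not parsed.netloc:
        return page_origin
    scheme = parsed.scheme or urlparse(page_origin).scheme
    return f"{scheme}://{parsed.netloc}"


def audit_checkout(html: str, page_origin: str, allowed_origins: set[str]) -> dict:
    """Classify every external script as allowed or third-party; count inline ones."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = {"allowed": [], "third_party": [], "inline_scripts": collector.inline}
    for src in collector.external:
        bucket = "allowed" if script_origin(src, page_origin) in allowed_origins else "third_party"
        findings[bucket].append(src)
    return findings


def csp_for_checkout(allowed_origins: set[str]) -> str:
    """script-src directive that lets the browser enforce the allowlist.

    'self' covers same-origin scripts; no 'unsafe-inline', so injected inline
    skimmer code is blocked too (inline scripts would then need nonces or hashes)."""
    return "script-src 'self' " + " ".join(sorted(allowed_origins)) + ";"


if __name__ == "__main__":
    result = audit_checkout(SAMPLE_CHECKOUT_HTML, PAGE_ORIGIN, FIRST_PARTY_ORIGINS)
    for src in result["third_party"]:
        print("third-party script on checkout page:", src)
    print("inline scripts:", result["inline_scripts"])
    print("Content-Security-Policy:", csp_for_checkout(FIRST_PARTY_ORIGINS))
```

An allowlist only addresses the supply-chain case; a skimmer written into a first-party file, as in the British Airways compromise the article contrasts with this one, passes this check, so the integrity of first-party scripts still has to be monitored separately.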
Microsoft has issued the latest monthly round of security fixes, this time addressing roughly 50 vulnerabilities, including one critical zero-day and three which have been publicly disclosed.
The most pressing vulnerability to fix would appear to be CVE-2018-8453, a privilege escalation flaw in Win32 caused by the OS failing to properly handle objects in memory.
“An attacker first needs to log into the operating system, but then can exploit this vulnerability to run code in the kernel and gain administrator privileges,” explained Ivanti director of product management, Chris Goettl. “This vulnerability has a Base CVSS score of 7 and is present in all operating systems with updates this month from Server 2008 through Windows 10.”
On that note, Microsoft has also released a fix for an issue which forced the firm to pause its Windows 10 October 2018 Update (version 1809).
According to Redmond, “an incorrect timing calculation may prematurely delete user profiles on devices subject to the ‘Delete user profiles older than a specified number of days’ group policy.” In effect, the bug deleted all customer files in their C:/Users/[username]/Documents/ folder, and rolling back to the previous version did not restore the files.
There’s been a fair amount of criticism from security experts as to how Microsoft managed to let such a major fault ship with its latest update, especially as the issue had been flagged in the past.
Elsewhere, three publicly disclosed bugs will need to be addressed, according to Rapid7 senior security researcher, Greg Wiseman.
“CVE-2018-8497 is another elevation of privilege vulnerability affecting Windows 10 / Server 2016 and newer,” he explained. “CVE-2018-8423 is an RCE in Microsoft's JET Database Engine and affects all supported versions of Windows. The third public vulnerability [CVE-2018-8531] is another RCE, relevant to developers who build products using the Azure IoT Hub Device Client C# SDK.”
As the threat landscape continues to evolve, many who are overwhelmed today may not have the time to think about whether they are prepared for the threats of tomorrow. Those who attended Viruses, Trojans, Worms, Malware and Ransomware: What’s Next and Are We Prepared? with Tony Cole, CTO, Attivo Networks, at the 2018 Security Congress learned that the future holds lots of security challenges that will be far more complicated than what they are facing now.
“We’ve just started with the problems we are seeing today. The world we live in is changing dramatically, and it’s absolutely astounding how quickly new innovations and new technology are changing our society,” Cole said.
Part of preparing for the future demands an understanding of existing threats, and while it’s important to understand the differences between viruses, Trojans, worms, malware and ransomware, what’s more important to understand is that every organization is a target.
What began as a collection of people compromising websites for fame and fortune has evolved into nation-state attacks and organized crime, the likes of WannaCry and Spectre. In order to prepare for the threats to come, it’s important that cybersecurity professionals start thinking about what Cole calls “the art of the possible.”
“I’m always surprised at how many companies don’t believe that they are a target,” said Cole. There are many kinds of attack that organizations are vulnerable to, whether it’s ransomware or the more mundane siphoning of computing power by crypto-mining.
“Crypto-mining is just getting started, or maybe we are just starting to detect. It’s evidence that if you write your code well enough so that it doesn’t have impact, most of the world is not going to notice it,” Cole said.
It’s the future, though, that is really scary to Cole. “We are sitting at the tip of the problem set. You can actually get an IP-enabled toaster to imprint different images on your toast. Why are you connecting these things? Why would you want a washing machine connected to anything?”
The internet of things (IoT) is a contributing factor to the unforeseen complications of the future because in an everything-is-connected world, attribution becomes much harder, not to mention that developers are looking to get their products to market quickly, which means that security is never a concern.
According to Cole, enterprises will spend $752bn on IoT this year, and consumers will soon catch up to that. Other current trends include the bleeding of nation-state threats into the underground – as was the case with EternalBlue. Companies are selling zero-day vulnerabilities, ransomware is burgeoning, and Chinese activity has substantially increased.
“People are going to have a lot more ways to hide in systems, and the technology evolution will continue to be used against us,” said Cole. Amid all the noise, though, there are ways of correcting the course. “Move to a cave and become a philosopher,” Cole advised.
Short of that, it’s key to remember that you are the target and you must adapt to the inevitability of a breach. Prepare for the inevitable by hunting, using active cyber defense, building a real security awareness training program and leveraging the home-field advantage.
“The enterprise belongs to you, not the attackers,” Cole said.
Community outreach is fast becoming a way to help raise cybersecurity awareness for the lay person, with many (ISC)2 chapters around the world working to educate their friends, parents, teachers and community members about cyber risks and online safety.
Toward that end, security leaders were recognized at Security Congress during the Information Security Leadership Awards luncheon. For his dedication to fostering a safe and secure online environment through his “Cyber Security for Dummies” project, Joseph Carson, CISSP, chief security strategist at Thycotic, received the Community Awareness award.
In recognition of her security education growth initiative, Rinki Sethi, CISSP, vice president of information security, Palo Alto Networks, was awarded the Senior Information Security Professional award.
In addition to the awards ceremony, the center hosted a panel discussion, How to Be a Community Rockstar, offering ideas from different (ISC)2 members and chapters on how to engage the community to raise awareness about staying safe online.
One common suggestion was that chapters can offer local scholarships to high school students who are interested in pursuing careers in cybersecurity. “We put together a program where we matched funds from our members, up to a certain number, then went out to schools to get people to apply. To generate interest, we offered naming rights to the scholarship. We posted our scholarships (for anyone pursuing a career in information security) and got some applications,” said Tony Howlett, CTO at Codero.
The Austin (ISC)2 chapter also visits with senior citizens to educate them on fraud and instituted a "bring your kids to chapter" day, as a way for kids to see what their parents do and to introduce other members to the resources that are available.
“It’s us and you,” said Patrick Craven, director of the Center for Cyber Safety and Education. “We are trying to create that awareness. It starts small, which sometimes means it’s not a local school but a local classroom. Talking to a teacher and getting a teacher interested. That’s part of creating the grassroots movement inside the schools.”
In advance of Cyber Safety Day – New Orleans, the Center for Cyber Safety and Education talked with cybersecurity practitioners at the 2018 Security Congress about how to talk to children about staying safe online.
Showcasing its curriculum that can be used by volunteers anywhere, the center encouraged audience members to get involved by either adopting a school or supporting scholarships. Patrick Craven, director of the Center for Cyber Safety and Education, and Ciera Lovitt, educational program specialist, were joined by Garfield, the star of the center’s educational outreach program for elementary schools.
Given that 90% of security incidents are the result of human error, the center’s goal is to educate people of all ages about good cyber-hygiene practices. For young kids, that includes topics ranging from cyber-bullying to passwords and computer security.
The center’s Children’s Internet Usage Study found that 40% of kids in grades 4-8 chatted with a stranger online. “Of those, 53% revealed their phone number to a stranger and 11% met with a stranger. It is crucial that our children learn how to be safe online and avoid being the target of cyber-criminals,” according to a press release.
In an effort to bring the content to more elementary school kids, the center is celebrating Cyber Safety Day – New Orleans, a one-day event created by the nonprofit to celebrate National Cybersecurity Awareness Month.
Participating schools will receive Garfield’s Cyber Safety Adventures – Lesson 1: “Privacy, Online Friends Are Not the Same as Real Friends,” which will be delivered on Wednesday, October 10, as part of Cyber Safety Day.
Over 2,300 students in New Orleans in 17 elementary schools city-wide will engage in the lesson using the cyber-safety education materials for free. As part of the event, former New Orleans Saints running back Deuce McAllister will also be visiting the classrooms with Garfield after the cyber-safety lesson.
Craven emphasized that educating a single child costs the nonprofit organization $2.17, and attendees were invited to donate to the rapidly growing cause. Craven noted that last year the center had 66 scholarship applications. This year, it had thousands.
The move will allow Centrify to move its focus to privileged access, as part of its strategy around the zero trust concept, while Idaptive’s offering includes single sign-on, adaptive multi-factor authentication, enterprise mobility management and user behavior analytics as part of its Next-Gen Access offering.
Tim Steinkopf will lead Centrify as CEO from January 1, 2019, while Danny Kibel, who currently leads development of Centrify’s IDaaS solutions as vice president of Engineering and Operations, will assume the CEO role at Idaptive effective January 1, 2019. Current Centrify CEO Tom Kemp will transition to an active strategic advisory role.
“The more we looked at our business, the clearer it became that a huge opportunity existed to create two organizations that can each better focus on innovation, accelerate their respective roadmaps, and ensure customer success,” said Steinkopf.
“As traditional network perimeters dissolve, organizations must discard the old model of ‘trust but verify’ that relied on well-defined boundaries. Zero Trust mandates a ‘never trust, always verify, enforce least privilege’ approach to privileged access, from inside or outside the network. This model, which we call Zero Trust Privilege, will be Centrify’s singular focus, leveraging years of innovation and leadership to secure the ‘keys to the kingdom’ for our customers.”
Kibel said that without intelligent access, companies risk poor security postures, data breaches and frustrated customers. “At Idaptive, we’re building this platform we call ‘Next-Gen Access’, ushering in a new generation of access technology that not only protects companies, but also leads to improved customer satisfaction.”
In an email to Infosecurity, Garrett Bekker, principal analyst in the information security practice at 451 Research, said that he expected to see both Centrify and Idaptive look to expand their capabilities both organically as well as potentially via M&A, considering the acquisition of Centrify by Thoma Bravo.
He added: “Centrify will continue on with a renewed focus on its flagship privileged access management business, where it will compete with the likes of CyberArk and now Bomgar, after having acquired Lieberman Software, Avecto and most recently, BeyondTrust, as well as One Identity. With respect to IDaaS and Idaptive, the market in recent years has really coalesced around a few vendors: Okta, Microsoft, OneLogin, Ping and with a new focus, Idaptive hopes to be a force here as well.”
However, Andras Cser, VP and principal analyst for security and risk management at Forrester Research, said he did not think it was a good move for Centrify: while it does provide a better ability to compete with CyberArk and Bomgar with a separate focus, he felt that there would be a “loss of focus on business use to privileged user continuity.”
The BBC has reported over 170 lost or stolen devices over the past two years, highlighting the challenges associated with managing a large mobile workforce.
Think tank Parliament Street submitted Freedom of Information requests to the national broadcaster which revealed that 81 devices were lost and 91 stolen over the past two financial years.
These included laptops, mobile phones and tablets, at an estimated total cost of at least £109,000. Eighty mobile phones, 82 laptops including MacBooks and high-end HP EliteBooks, eight iPads and even two desktop computers were apparently lost or stolen.
“The BBC employs about 20,000 people and the number of items lost or stolen is relatively small, however, it is regrettably inevitable some items will occasionally go missing,” read a statement from the corporation. “The BBC takes incidents of crime seriously and we are constantly implementing and reviewing measures to reduce crime and recover lost and stolen items.”
Experts explained that, in the new GDPR era, encryption is essential.
“Encryption is one of the few technical controls explicitly called out by GDPR, as its proper use means that device loss is purely the loss of a physical asset, as opposed to the more serious loss of information, which leads to reporting requirements and potential fines,” Becrypt CEO, Bernard Parsons, told Infosecurity.
“Choosing an encryption solution for laptops that has some form of third-party validation, such as NCSC assurance, allows an organization to confidently address both risks and liabilities. But equally important is that technology does not inhibit user experience. Poorly implemented security leads to user bypass, such as passwords on stick-it notes, that can actually increase an organization’s risk. NCSC have some great guidance on appropriate password policies that balance security with user needs.”
He added that mobile device management platforms should be adopted to enforce mobile policies like screen-lock and remote wipe in the event of loss or theft.
“Organizations that are higher-threat targets need also to be aware that lost devices can be used to carry out subsequent attacks on the company’s networks, particularly as many organizations host MDM servers outside of their more secure networks,” Parsons concluded.
Google has decided to shut its failing social network Google+ after a bug in one of its APIs was found to have exposed the personal details of half a million users.
The vulnerability in question was found and “immediately patched” during an audit of third-party developer access to the platform known as Project Strobe.
“Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API. The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public,” explained VP of engineering, Ben Smith.
“This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”
Rather controversially, the bug discovery happened in March of this year, with Google electing not to inform customers immediately.
“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug,” said Smith. “However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”
He added that none of the thresholds for going public with the news were met, taking into account the type of data involved, Google’s ability to accurately inform users, and the absence of evidence of profile data being misused or developers abusing the API.
Although a business version of Google+ will remain for corporates to use internally, the consumer platform will be closed.
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” explained Smith.
“To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data.”
High-Tech Bridge CEO, Ilia Kolochenko, claimed the vulnerability's discovery is another example of why a bug bounty program is not a silver bullet for web security.
“Application security is a multi-layered process that requires continuous improvement and adaptation to new risks and threats,” he added. “Such vulnerabilities usually require a considerable amount of effort to be detected, especially if they reappear on a system that has already been tested. Continuous and incremental security monitoring is vital to keep modern web systems secure.”
Heathrow Airport Limited (HAL) has been fined £120,000 for serious data protection failings after a USB memory stick containing the personal details of employees was lost last year.
UK privacy watchdog the Information Commissioner’s Office (ICO) subsequently found that just two of the airport’s 6500 staff had been trained in data protection.
The thumb drive in question was found by a member of the public on October 16 last year and handed to a national newspaper, which made a copy, before returning it to the airport.
The drive, which was neither encrypted nor password protected, apparently contained 76 folders and over 1000 files.
However, the number of employees who had data exposed was relatively small: 10 individuals’ names, dates of birth, passport numbers and other details were mentioned in a training video while 50 aviation security staff were also affected, according to the ICO.
Aside from HAL’s oversight regarding training and awareness, the ICO also found widespread use of removable media at the airport, despite official policy to the contrary, and insufficient controls preventing data being downloaded to such devices.
The case was considered under the old data protection regime and not the GDPR because of the time frame involved.
“Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise,” said ICO director of investigations, Steve Eckersley.
“Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them.”
Once informed of the incident, HAL is said to have promptly reported it to the police, worked to contain the issue and enlisted the help of a vendor to monitor the internet and dark web for signs of the data.
Peter Carlisle, VP EMEA at Thales eSecurity, argued that encryption is a must-have in today’s business environment.
“The impact of any data breach is dramatically minimized if encryption is used to protect data, as encrypted data is of no value to thieves or hackers,” he added.
Director of game research and development for the Institute for the Future, Jane McGonigal, opened her luncheon keynote at the 2018 Security Congress with what she considered exciting news by announcing that human beings have reached a milestone: People spend 2.5 billion minutes a day playing League of Legends.
“To put that in perspective, that’s the equivalent of having a company of 20,250,833 employees who do nothing but play League of Legends all day,” McGonigal said. Lest the audience grow too alarmed, McGonigal quickly launched into evidence supporting the theory that playing games actually has a positive impact on productivity.
Recognizing that many might see gaming as a waste of time, McGonigal argued that this idea is a misconception. “I think the reason why we fear it is a waste of time has to do with a misconception that most of us hold from when we are very young, and we hold it for our entire lives.”
The opposite of work is not play, but depression, McGonigal argued. Play, in fact, induces optimism and fosters hope for success. The curiosity that comes from gaming can then be applied to cybersecurity through task switching. McGonigal suggested that a gaming “warm-up” can actually create a “super-powered hopeful individual”: playing a game for 10 minutes serves as a preparation tool to shift into problem-solving in the real world.
Before tasking the audience with a challenge, McGonigal explained, “I make things that allow users to figure out how to tackle some of the toughest challenges of our time. What are the problems we face as a planet and how can we lift people from feeling anxious, hopeless or helpless into feeling they are empowered?”
Answering that question, McGonigal said that bringing gamers and the cybersecurity community together is key to thinking like a futurist. “They can work together to do a much better job of anticipating the long-term social impact of the technologies we create and integrate into our organizations and bring into our families and lives.”
Some in the audience scoffed at her suggestion that we are all Mark Zuckerberg now, but McGonigal went on to explain, “We are all responsible for the role we play in adopting technologies and popularizing technologies and bringing impact into our organizations. Those who design technology, build technology and sell technology have their role in this as well.
“It’s up to all of us to think with a little bit more foresight. Are we building the future that we want? What might go wrong, and what actions can we take today to avoid these things going wrong?” The skills learned through gaming are preparing a generation of people to anticipate the impact technology may have on the future in order to better secure it, according to McGonigal.
In his opening keynote to members attending this year’s (ISC)2 Security Congress in New Orleans, CEO David Shearer talked about the resilience of the city in the aftermath of several hard-hitting natural and human-created disasters, noting, “It’s hard not to be inspired by the resiliency of this region.”
Using New Orleans as a model for resilience, Shearer said, “In my experience resiliency to respond to complex challenges is directly linked to a thorough understanding or a holistic view of the challenges you are likely to face.” Shearer also commended the first responders of the region for having a deep understanding of their missions: dealing with bad situations and responding appropriately to the unpredictable.
Addressing the audience of cybersecurity professionals, Shearer said it is equally important that, like first responders, experts in the industry do not approach their work through fear, uncertainty and doubt. “They plan for it, they drill for it, they are ready for it. It’s ingrained in what they do and who they are. We need to have a similar mentality about the growing threats we face,” Shearer said minutes before introducing Louisiana congressman Cedric Richmond.
Rep. Richmond, who currently serves on the House Committee on Homeland Security and the House Committee on the Judiciary, validated the need for planning and preparation in noting, “This conference comes at a pivotal time in our nation’s history and future. The secretary of Homeland Security recently warned that the next attack the magnitude of 9/11 won’t involve airplanes. It will be a cyber-attack.”
Systems at all levels are under attack at all times, Richmond said, which has provoked local, state and national conversations about what is needed to protect the economy and preserve the American way of life.
“First, federal, state and local governments must be structured and funded to properly protect against, investigate and remove malware on their systems and to serve as effective cyber-defense partners with the private sector,” Richmond said.
Advocating that the industry look to candidates with nontraditional backgrounds, the congressman also said, “We need a robust cybersecurity workforce to support both the private and public sectors.”
Educating the public on good cyber hygiene and building partnerships between the private and public sector will also help to advance the understanding of why cybersecurity matters. “Although we have made progress in these areas, progress has been too slow and too inconsistent. A game plan has to give everyone clear assignments and responsibilities. If people’s assignments aren’t clear, players and bad actors go uncovered. That’s how you lose a game,” Richmond said.
Before launching into the content of her talk, Enterprise Security Awareness Programs That Work, at the 2018 (ISC)2 Security Congress, Theresa Frommel, acting deputy CISO for the state of Missouri, confronted the elephant in the room, asking the audience, “How many of you are nonbelievers?”
When asked whether their programs were delivered only annually, many in the room mumbled yes. Frommel also received affirmation from the audience when she asked, “Most of you are not doing repetitive monthly trainings?”
Many organizations still don’t understand why security awareness training programs matter when they don’t see significant improvements in end user behavior, but Frommel said behaviors can change.
Missouri consists of 600 municipalities comprising 114 counties, served by 30 state agencies across the executive, legislative and judicial branches. Of the state’s 40,000 employees, 950 are IT staff, of whom 20 are in the office of cybersecurity.
Why do companies need effective security awareness programs? Primarily because, Frommel said, 90% of breaches are the result of phishing attacks.
“In the first quarter of 2018, phishing activity trends were up 46%. More than a third of phishing sites were hosted on sites with HTTPS and SSL certificates, and the number of sites hosting phishing pages rose from 60,000 at the beginning of 2018 to 113,000 in March,” Frommel said, adding a reminder that many of the high-profile breaches of the past several years were the result of someone opening a phishing message.
That’s why an effective awareness program needs to understand human behavior, Frommel said. Phishing campaigns are successful because attackers hit the emotion of fear and uncertainty.
“Sometimes it’s hard to blame the user because they are thinking and asking, ‘Am I expecting an attachment? Do I know this user?’ and the answer is yes,” Frommel said.
In advising the audience on how to mitigate the human risk, Frommel assured, “Human behavior can be changed. Make users another security control, not a security problem. Phishing is no different than any other swindle, but technology can only mitigate email risk to a point. Training should be frequent, brief, targeted and able to change people’s thought processes, which over time, changes the culture.”
Recognizing that technology will only go so far, it is incumbent upon security practitioners to keep encouraging changes in behavior and thought processes. As for Missouri, it has 40,000 interactive lessons deployed monthly, each 10-15 minutes in length and focusing on a different topic. Additionally, agencies compete against each other through gamification.
Part of running a successful program is being able to track results and ensure employee participation, but it is also critical to recognize when the content has become stale and to adapt by finding more engaging material, said Frommel.